Puzzle #5 Winners

Don Jackson submitted the solution that we picked as the winner of this contest. We were very impressed with the thoroughness of his description, with the attention to detail, and with the focus on network-related aspects of the incident. Reading Don’s solution made us feel like we are looking over the shoulder of the forensic analyst, as he formed theories and looked for evidence to substantiate or disprove them. Great job, Don, and congratulations on winning the Lenovo Ideapad netbook!

We also wanted to mention several other solutions that ranked close to the top:

We were impressed by the in-depth dive yulyul2003 took when looking at the inner-workings of the malicious executable. Though this level of detail was a bit outside the scope of this puzzle, we liked the analysis yulyul2003 performed of the infection and rootkit-related functionality of the specimen. This solution also provides excellent details regarding the infection mechanism.

Eugenio Delfa created a handy tool called castflow for carving PCAP files, which he used to extract files from the network traffic capture. Eugenio also performed some behavioral analysis of the malicious executable in the lab–we appreciated seeing these details in his write-up.

Iñaki Rodríguez showcased the use of tshark for analyzing network traffic–very nice. We also liked the use of Snort by dn1nj4 to examine the network traffic capture for signs of malicious activity.

Thanks to everyone who participated in this puzzle!

Ahmed Adel Mohamed

Alan Tu

Ashish, Garima, Vikrant

Bobby

Candice Quates

Chet Kress

Dave Eilert

Don Jackson (winning submission)

Gaurav

Jeff Wichman

Joe Creasey

Masashi Fujiwara

Matt Erasmus

Param Singh

Parin

Peter Chong

Scott Cubic

Shane Kennedy

Takuro Uetori

Tareq Saade

Victor Ant Torre

Winter Faulk